From 46f7b7096450939fe03c95aa81ce06ae4bfca89d Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 28 Mar 2016 06:51:43 -0400
Subject: [PATCH] Enable reply/reply-all/forward buttons also in preview frame of message/rfc822
---
program/include/rcmail_output_html.php | 19 +++++++++++++++----
1 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 464008c..8dda8c3 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -224,6 +224,17 @@
*/
public function set_skin($skin)
{
+ // Sanity check to prevent from path traversal vulnerability (#1490620)
+ if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+ rcube::raise_error(array(
+ 'file' => __FILE__,
+ 'line' => __LINE__,
+ 'message' => 'Invalid skin name'
+ ), true, false);
+
+ return false;
+ }
+
$valid = false;
$path = RCUBE_INSTALL_PATH . 'skins/';
@@ -391,7 +402,7 @@
if ($override || !$this->message) {
if ($this->app->text_exists($message)) {
if (!empty($vars))
- $vars = array_map('Q', $vars);
+ $vars = array_map(array('rcube','Q'), $vars);
$msgtext = $this->app->gettext(array('name' => $message, 'vars' => $vars));
}
else
@@ -505,10 +516,10 @@
// write all javascript commands
$this->add_script($commands, 'head_top');
- // send clickjacking protection headers
+ // allow (legal) iframe content to be loaded
$iframe = $this->framed || $this->env['framed'];
- if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) {
- header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
+ if (!headers_sent() && $iframe && $this->app->config->get('x_frame_options', 'sameorigin') === 'deny') {
+ header('X-Frame-Options: sameorigin', true);
}
// call super method
--
Gitblit v1.9.1